Logo of Trend Micro
Use the Conformity Knowledge Base AI to help improve your Cloud Posture

Restrict Access To Microsoft Entra ID Administration Portal

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (not acceptable risk)
Rule ID: ActiveDirectory-015

Ensure that "Restrict access to Microsoft Entra ID administration portal" policy is set to "Yes" within your Microsoft Entra ID (AD) settings to deny access to the Microsoft Entra ID administration portal for all non-administrator users. This setting is limited to administration portal only and enabling it does not restrict access using PowerShell or another client such as Microsoft Visual Studio. By default, "Restrict access to Microsoft Entra ID administration portal" is set to "No".

This rule resolution is part of the Conformity Security & Compliance tool for Azure.

Security

The Microsoft Entra ID administrative portal provides access to sensitive or private information, therefore all non-admin users should be prohibited from accessing any Microsoft Entra ID resource or information available on the administration portal in order to avoid data exposure.

Audit

To determine if non-admin users have access to Microsoft Entra ID administration portal, perform the following actions:

Note: Fetching "Restrict access to Microsoft Entra ID administration portal" configuration setting status using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Microsoft Entra ID blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Under All users, select User settings to access Microsoft Entra ID user settings.

05 On the User settings configuration page, under Administration portal, check Restrict access to Microsoft Entra ID administration portal setting configuration. If Restrict access to Microsoft Entra ID administration portal policy is set to No, users without administrative privileges can use Microsoft Entra ID administration portal to access directory data and resources, thus the current Microsoft Entra ID user configuration is not compliant.

06 Repeat steps no. 3 – 5 for each Microsoft Microsoft Entra ID that you want to examine.

Remediation / Resolution

By setting "Restrict access to Microsoft Entra ID administration portal" to "Yes", only Microsoft Entra ID administrators can get further access to administration portal, protecting Microsoft Entra ID data from unauthorized users. To enable the required setting, perform the following actions:

Note: Restricting non-administrator users' ability to access Microsoft Entra ID administration portal using Microsoft Graph API or Azure CLI is not currently supported.

Using Azure Console

01 Sign in to Azure Management Console.

02 Navigate to Microsoft Entra ID blade at https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Overview.

03 In the navigation panel, select Users.

04 Under All users, select User settings to access Microsoft Entra ID user configuration settings.

05 On the User settings configuration page, under Administration portal, select Yes next to Restrict access to Microsoft Entra ID administration portal setting to disable non-administrator users' ability to access Microsoft Entra ID administration portal.

06 Click Save to apply the configuration changes. If the request is successful, the following message should be displayed: "Successfully updated user settings". Once the changes are saved, only the Microsoft Entra ID users with an administrator role can access sensitive data available on the administration portal.

07 Repeat steps no. 3 – 6 for each Microsoft Entra ID that you want to reconfigure in order to restrict non-admin access to Microsoft Entra ID administration portal.

References

Publication date Aug 30, 2019

Related ActiveDirectory rules

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

Restrict Access To Microsoft Entra ID Administration Portal

Risk Level: High